oss-sec mailing list archives
Request CVE for LinuxNode - DoS vulnerability
From: "Iain R. Learmonth" <irl () fsfe org>
Date: Fri, 3 Apr 2015 18:22:23 +0100
Hi,

I'm a member of the Debian Hamradio Maintainer's team and a denial-of-service bug has been reported on our package ax25-node. (Debian bug: https://bugs.debian.org/777013)

I would like to request a CVE for this vulnerability.

The software in this package is identified as LinuxNode in the README contained in the source package. The author is identified as Tomi Manninen OH2BNS, <tomi.manninen () hut fi> although attempts have been made to contact the author and have been unsuccessful, as mentioned in the Debian bug report.

https://sources.debian.net/src/node/0.3.2-7.4/README/

From the bug report:

"The SIGQUIT routine fails to close the app leaving the IP sockets open and in some cases DDOS the remote site if a user "ctrl-]+q" out of a telnet session. Also the app fails to close and more can be spawned by a crafty malicious user thus bringing the system to a point of no memory available."

Brian N1URO on the bug report maintains a replacement node package and I am confident that his report is accurate. He found this vulnerability in 2005, but due to an unresponsive upstream this got lost. This is the first request for a CVE for this vulnerability.

This appears to be an issue affecting multiple versions, although I can only say that it is present in 0.3.2.

I am happy to provide more information if needed and I can be contacted at: irl () fsfe org

Thanks,
Iain.

--
e: irl () fsfe org
w: iain.learmonth.me
x: irl () jabber fsfe org
t: EPVPN 2105
c: 2M0STB
g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Current thread:
- Request CVE for LinuxNode - DoS vulnerability Iain R. Learmonth (Apr 03)
- Re: Request CVE for LinuxNode - DoS vulnerability cve-assign (Apr 03)
- <Possible follow-ups>
- Re: Request CVE for LinuxNode - DoS vulnerability cve-assign (Apr 06)